The breached files included patients’ personal identifying information, like their names, addresses and birthdays, as well as their medical diagnoses. The files also included at least tens of thousands of scanned diagnostic results and letters to insurers. In other words, considerable quantities of personally identifiable information were made available. Some of the information was highly personal, such as an MS Excel spreadsheet named “2018_colonoscopies”, which contains the names of 102 patients in conjunction with the medical procedure.
While the hacker group that posted the files is apparently well known to cybersecurity researchers, the motive for the release of the files, and why healthcare was considered to be a legitimate target, is unclear.
To understand more, Digital Journal spoke with James Carder, Chief Security Officer & Vice President of LogRhythm Labs.
According to Carder, this incident forms part of a troubling trend: “This is yet another unfortunate instance of hackers using ransomware to attack hospitals to gain sensitive patient information and leak it onto the dark web. Medical records continue to be the highest value record being stolen due to how financially lucrative the personally identifiable information (PII) and protected health information (PHI), which cannot be changed or updated like you can with a credit card number, is for attackers.”
Moving on to the specific event, Carder notes: “Leon Medical Centers and Nocona General Hospital’s patients whose information was posted to the dark web are now vulnerable to a number of attacks due to their sensitive PII and PHI data being accessible, including various methods of credit, insurance, and payment fraud. They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made. Additionally, it is conceivable that the medical state, diagnosis, allergy or prescription information for high profile patients could be of interest to nation states, terrorist groups, or other threat actors looking to do physical harm.”
In terms of the wider implications, Carder assesses: “Hospitals that do not pay ransoms will unfortunately see serious impacts. Their systems could go down, including electronic health records and life-sustaining medical devices. This has a significant impact to business revenue and could put hospital patients at serious risk. We saw this happen in Germany last year when a ransomware attack eventually led to the death of a patient after the attack prevented a hospital from providing proper treatment due to network failure.”
In terms of lessons to be learned and future actions, Carder recommends: “No matter where an organization stores their data, real-time monitoring and clear visibility are crucial for rapidly detecting and neutralizing security threats. Given the current evolving threat landscape and increased focus on healthcare by cybercriminals, companies must leverage authentication and access controls, and response capabilities, to ensure private documents will be safeguarded and patients remain protected.”